
Commit 23e6adc

committed
fix a couple hundred deref-after-free bugs due to .c_str() on a temporary string
1 parent 48a9def commit 23e6adc


64 files changed

+248
-229
lines changed

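--- a/src/api/api_bv.cpp
+++ b/src/api/api_bv.cpp
@@ -117,7 +117,8 @@ Z3_ast Z3_API NAME(Z3_context c, unsigned i, Z3_ast n) { \
 Z3_sort s = Z3_get_sort(c, n);
 unsigned sz = Z3_get_bv_sort_size(c, s);
 rational max_bound = power(rational(2), sz);
-Z3_ast bound = Z3_mk_numeral(c, max_bound.to_string().c_str(), int_s);
+auto str = max_bound.to_string();
+Z3_ast bound = Z3_mk_numeral(c, str.c_str(), int_s);
 Z3_inc_ref(c, bound);
 Z3_ast zero = Z3_mk_int(c, 0, s);
 Z3_inc_ref(c, zero);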
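Review bot: `auto str = max_bound.to_string();` would read better as `std::string const str = max_bound.to_string();`, which names the object that owns the buffer `str.c_str()` points into and rules out modifying it before `Z3_mk_numeral` reads it. The replaced expression was already well-defined in this particular spot: the temporary returned by `to_string()` lives until the end of the full-expression, so the pointer was valid for the whole call, and the rewrite documents the lifetime rather than fixing a dangling read here. The enclosing function starts and ends outside the hunk.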

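--- a/src/api/api_datalog.cpp
+++ b/src/api/api_datalog.cpp
@@ -677,9 +677,11 @@ extern "C" {
 
 to_fixedpoint_ref(d)->ctx().get_rules_along_trace_as_formulas(rules, names);
 for (unsigned i = 0; i < names.size(); ++i) {
-ss << ";" << names[i].str();
+if (i != 0)
+ss << ';';
+ss << names[i].str();
 }
-return of_symbol(symbol(ss.str().substr(1).c_str()));
+return of_symbol(symbol(ss.str()));
 Z3_CATCH_RETURN(of_symbol(symbol::null));
 }
 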
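Review bot: The empty-`names` case now behaves differently and deserves a comment: the removed `ss.str().substr(1)` throws `std::out_of_range` when the stream is empty (position 1 exceeds size 0), whereas the new loop produces an empty string, and the commit message only talks about `c_str()` lifetimes. Suggested line above the loop: `// join rule names with ';' (no leading separator; empty when there are no names)`. Whether `symbol` built from an empty `std::string` is distinguishable from the `symbol::null` returned on the catch path is not visible here, so confirm the caller can tell "no rules" apart from "error". The enclosing function begins outside the hunk.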
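--- a/src/api/api_numeral.cpp
+++ b/src/api/api_numeral.cpp
@@ -191,7 +191,7 @@ extern "C" {
 if (ok && r.is_int() && !r.is_neg()) {
 std::stringstream strm;
 r.display_bin(strm, r.get_num_bits());
-return mk_c(c)->mk_external_string(strm.str().c_str());
+return mk_c(c)->mk_external_string(strm.str());
 }
 else {
 SET_ERROR_CODE(Z3_INVALID_ARG, nullptr);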

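--- a/src/api/api_params.cpp
+++ b/src/api/api_params.cpp
@@ -66,7 +66,8 @@ extern "C" {
 Z3_TRY;
 LOG_Z3_params_set_bool(c, p, k, v);
 RESET_ERROR_CODE();
-to_params(p)->m_params.set_bool(norm_param_name(to_symbol(k)).c_str(), v);
+auto name = norm_param_name(to_symbol(k));
+to_params(p)->m_params.set_bool(name.c_str(), v);
 Z3_CATCH;
 }
 
@@ -77,7 +78,8 @@ extern "C" {
 Z3_TRY;
 LOG_Z3_params_set_uint(c, p, k, v);
 RESET_ERROR_CODE();
-to_params(p)->m_params.set_uint(norm_param_name(to_symbol(k)).c_str(), v);
+auto name = norm_param_name(to_symbol(k));
+to_params(p)->m_params.set_uint(name.c_str(), v);
 Z3_CATCH;
 }
 
@@ -88,7 +90,8 @@ extern "C" {
 Z3_TRY;
 LOG_Z3_params_set_double(c, p, k, v);
 RESET_ERROR_CODE();
-to_params(p)->m_params.set_double(norm_param_name(to_symbol(k)).c_str(), v);
+auto name = norm_param_name(to_symbol(k));
+to_params(p)->m_params.set_double(name.c_str(), v);
 Z3_CATCH;
 }
 
@@ -99,7 +102,8 @@ extern "C" {
 Z3_TRY;
 LOG_Z3_params_set_symbol(c, p, k, v);
 RESET_ERROR_CODE();
-to_params(p)->m_params.set_sym(norm_param_name(to_symbol(k)).c_str(), to_symbol(v));
+auto name = norm_param_name(to_symbol(k));
+to_params(p)->m_params.set_sym(name.c_str(), to_symbol(v));
 Z3_CATCH;
 }
 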
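Review bot: The pattern `auto name = norm_param_name(to_symbol(k)); ... name.c_str()` is copied into `Z3_params_set_bool`, `_uint`, `_double` and `_symbol`; since `norm_param_name` already yields a `std::string`, the local exists only to satisfy the `char const*` parameter of `m_params.set_*`, and a `std::string const&` (or `symbol`) overload on those setters would remove all four copies — whether such an overload exists is not visible on this page. If the setters stay as they are, prefer `std::string const name = norm_param_name(to_symbol(k));` over `auto` so the object owning the buffer behind `name.c_str()` is explicit. Each of the four functions starts and ends outside its hunk.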
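--- a/src/api/c++/z3++.h
+++ b/src/api/c++/z3++.h
@@ -74,7 +74,7 @@ namespace z3 {
 
 inline void set_param(char const * param, char const * value) { Z3_global_param_set(param, value); }
 inline void set_param(char const * param, bool value) { Z3_global_param_set(param, value ? "true" : "false"); }
-inline void set_param(char const * param, int value) { std::ostringstream oss; oss << value; Z3_global_param_set(param, oss.str().c_str()); }
+inline void set_param(char const * param, int value) { auto str = std::to_string(value); Z3_global_param_set(param, str.c_str()); }
 inline void reset_params() { Z3_global_param_reset_all(); }
 
 /**
@@ -122,9 +122,8 @@ namespace z3 {
 \brief Set global parameter \c param with integer \c value.
 */
 void set(char const * param, int value) {
-std::ostringstream oss;
-oss << value;
-Z3_set_param_value(m_cfg, param, oss.str().c_str());
+auto str = std::to_string(value);
+Z3_set_param_value(m_cfg, param, str.c_str());
 }
 };
 
@@ -211,9 +210,8 @@ namespace z3 {
 \brief Update global parameter \c param with Integer \c value.
 */
 void set(char const * param, int value) {
-std::ostringstream oss;
-oss << value;
-Z3_update_param_value(m_ctx, param, oss.str().c_str());
+auto str = std::to_string(value);
+Z3_update_param_value(m_ctx, param, str.c_str());
 }
 
 /**
@@ -2839,9 +2837,8 @@ namespace z3 {
 }
 handle add(expr const& e, unsigned weight) {
 assert(e.is_bool());
-std::stringstream strm;
-strm << weight;
-return handle(Z3_optimize_assert_soft(ctx(), m_opt, e, strm.str().c_str(), 0));
+auto str = std::to_string(weight);
+return handle(Z3_optimize_assert_soft(ctx(), m_opt, e, str.c_str(), 0));
 }
 void add(expr const& e, expr const& t) {
 assert(e.is_bool());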
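Review bot: The four rewritten bodies now rely on `std::to_string`, i.e. on `<string>`, whereas the removed `std::ostringstream`/`std::stringstream` code needed only `<sstream>`; the header's include list is outside these hunks, so confirm `<string>` is included directly rather than reached transitively. The swap is also a small behavioural improvement worth recording in a comment: `std::to_string` formats integers independently of the global locale, while a default-constructed stream picks up whatever locale the host program has installed (which may insert digit grouping), e.g. `// to_string: locale-independent, unlike ostringstream`. The `add(expr const& e, unsigned weight)` member in the last hunk is complete, but its enclosing class starts and ends outside the hunk.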

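--- a/src/ast/ast.h
+++ b/src/ast/ast.h
@@ -126,6 +126,7 @@ class parameter {
 explicit parameter(rational && r) : m_kind(PARAM_RATIONAL), m_rational(alloc(rational, std::move(r))) {}
 explicit parameter(double d):m_kind(PARAM_DOUBLE), m_dval(d) {}
 explicit parameter(const char *s):m_kind(PARAM_SYMBOL), m_symbol(symbol(s)) {}
+explicit parameter(const std::string &s):m_kind(PARAM_SYMBOL), m_symbol(symbol(s)) {}
 explicit parameter(unsigned ext_id, bool):m_kind(PARAM_EXTERNAL), m_ext_id(ext_id) {}
 parameter(parameter const&);
 
@@ -984,6 +985,7 @@ struct builtin_name {
 decl_kind m_kind;
 symbol m_name;
 builtin_name(char const * name, decl_kind k) : m_kind(k), m_name(name) {}
+builtin_name(const std::string &name, decl_kind k) : m_kind(k), m_name(name) {}
 };
 
 /**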
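Review bot: The new `parameter(const std::string &s)` and `builtin_name(const std::string &name, decl_kind k)` constructors should state in a one-line comment that the text is copied into the `symbol` rather than referenced, because that is exactly the property the rest of this commit relies on when callers now pass temporaries, e.g. `// the string is copied into the symbol; it need not outlive this object`. How `symbol` stores its text is not visible on this page, so verify that before settling on the wording. Both `parameter` and `builtin_name` extend outside their hunks.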

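--- a/src/ast/ast_smt2_pp.cpp
+++ b/src/ast/ast_smt2_pp.cpp
@@ -36,12 +36,12 @@ format * smt2_pp_environment::pp_fdecl_name(symbol const & s, unsigned & len, bo
 if (is_smt2_quoted_symbol(s)) {
 std::string str = mk_smt2_quoted_symbol(s);
 len = static_cast<unsigned>(str.length());
-return mk_string(m, str.c_str());
+return mk_string(m, str);
 }
 else if (s.is_numerical()) {
 std::string str = s.str();
 len = static_cast<unsigned>(str.length());
-return mk_string(m, str.c_str());
+return mk_string(m, str);
 }
 else if (!s.bare_str()) {
 len = 4;
@@ -114,7 +114,7 @@ format * smt2_pp_environment::pp_fdecl_params(format * fname, func_decl * f) {
 fs.push_back(mk_int(get_manager(), f->get_parameter(i).get_int()));
 else if (f->get_parameter(i).is_rational()) {
 std::string str = f->get_parameter(i).get_rational().to_string();
-fs.push_back(mk_string(get_manager(), str.c_str()));
+fs.push_back(mk_string(get_manager(), str));
 }
 else
 fs.push_back(pp_fdecl_ref(to_func_decl(f->get_parameter(i).get_ast())));
@@ -177,7 +177,7 @@ format * smt2_pp_environment::pp_bv_literal(app * t, bool use_bv_lits, bool bv_n
 format * vf;
 if (!use_bv_lits) {
 string_buffer<> buf;
-buf << "(_ bv" << val.to_string().c_str() << " " << bv_size << ")";
+buf << "(_ bv" << val.to_string() << ' ' << bv_size << ')';
 vf = mk_string(get_manager(), buf.c_str());
 }
 else {
@@ -238,30 +238,30 @@ format * smt2_pp_environment::pp_float_literal(app * t, bool use_bv_lits, bool u
 string_buffer<> buf;
 VERIFY(get_futil().is_numeral(t, v));
 if (fm.is_nan(v)) {
-buf << "(_ NaN " << v.get().get_ebits() << " " << v.get().get_sbits() << ")";
+buf << "(_ NaN " << v.get().get_ebits() << ' ' << v.get().get_sbits() << ')';
 return mk_string(m, buf.c_str());
 }
 else if (fm.is_pinf(v)) {
-buf << "(_ +oo " << v.get().get_ebits() << " " << v.get().get_sbits() << ")";
+buf << "(_ +oo " << v.get().get_ebits() << ' ' << v.get().get_sbits() << ')';
 return mk_string(m, buf.c_str());
 }
 else if (fm.is_ninf(v)) {
-buf << "(_ -oo " << v.get().get_ebits() << " " << v.get().get_sbits() << ")";
+buf << "(_ -oo " << v.get().get_ebits() << ' ' << v.get().get_sbits() << ')';
 return mk_string(m, buf.c_str());
 }
 else if (fm.is_pzero(v)) {
-buf << "(_ +zero " << v.get().get_ebits() << " " << v.get().get_sbits() << ")";
+buf << "(_ +zero " << v.get().get_ebits() << ' ' << v.get().get_sbits() << ')';
 return mk_string(m, buf.c_str());
 }
 else if (fm.is_nzero(v)) {
-buf << "(_ -zero " << v.get().get_ebits() << " " << v.get().get_sbits() << ")";
+buf << "(_ -zero " << v.get().get_ebits() << ' ' << v.get().get_sbits() << ')';
 return mk_string(m, buf.c_str());
 }
 else if (use_float_real_lits)
 {
-buf << "((_ to_fp " << v.get().get_ebits() << " " <<
+buf << "((_ to_fp " << v.get().get_ebits() << ' ' <<
 v.get().get_sbits() << ") RTZ " <<
-fm.to_string(v).c_str() << ")";
+fm.to_string(v) << ')';
 return mk_string(m, buf.c_str());
 }
 else {
@@ -301,9 +301,8 @@ format * smt2_pp_environment::mk_neg(format * f) const {
 format * smt2_pp_environment::mk_float(rational const & val) const {
 SASSERT(val.is_nonneg());
 SASSERT(val.is_int());
-std::string s = val.to_string();
-s += ".0";
-return mk_string(get_manager(), s.c_str());
+std::string s = val.to_string() + ".0";
+return mk_string(get_manager(), s);
 }
 
 format * smt2_pp_environment::pp_arith_literal(app * t, bool decimal, unsigned decimal_prec) {
@@ -314,11 +313,11 @@ format * smt2_pp_environment::pp_arith_literal(app * t, bool decimal, unsigned d
 if (u.is_numeral(t, val, is_int)) {
 if (is_int) {
 if (val.is_nonneg()) {
-return mk_string(get_manager(), val.to_string().c_str());
+return mk_string(get_manager(), val.to_string());
 }
 else {
 val.neg();
-return mk_neg(mk_string(get_manager(), val.to_string().c_str()));
+return mk_neg(mk_string(get_manager(), val.to_string()));
 }
 }
 else {
@@ -332,7 +331,7 @@ format * smt2_pp_environment::pp_arith_literal(app * t, bool decimal, unsigned d
 else if (decimal) {
 std::ostringstream buffer;
 val.display_decimal(buffer, decimal_prec);
-vf = mk_string(get_manager(), buffer.str().c_str());
+vf = mk_string(get_manager(), buffer.str());
 }
 else {
 format * buffer[2] = { mk_float(numerator(val)), mk_float(denominator(val)) };
@@ -360,7 +359,7 @@ format * smt2_pp_environment::pp_arith_literal(app * t, bool decimal, unsigned d
 else {
 am.display_root_smt2(buffer, val2);
 }
-vf = mk_string(get_manager(), buffer.str().c_str());
+vf = mk_string(get_manager(), buffer.str());
 return is_neg ? mk_neg(vf) : vf;
 }
 }
@@ -380,16 +379,14 @@ format * smt2_pp_environment::pp_string_literal(app * t) {
 buffer << encs[i];
 }
 }
-buffer << "\"";
-return mk_string(get_manager(), buffer.str().c_str());
+buffer << '"';
+return mk_string(get_manager(), buffer.str());
 }
 
 format * smt2_pp_environment::pp_datalog_literal(app * t) {
 uint64_t v;
 VERIFY (get_dlutil().is_numeral(t, v));
-std::ostringstream buffer;
-buffer << v;
-return mk_string(get_manager(), buffer.str().c_str());
+return mk_string(get_manager(), std::to_string(v));
 }
 
 format_ns::format * smt2_pp_environment::pp_sort(sort * s) {
@@ -440,10 +437,10 @@ format_ns::format * smt2_pp_environment::pp_sort(sort * s) {
 for (unsigned i = 0; i < sz; i++) {
 fs.push_back(pp_sort(get_dtutil().get_datatype_parameter_sort(s, i)));
 }
-return mk_seq1(m, fs.begin(), fs.end(), f2f(), s->get_name().str().c_str());
+return mk_seq1(m, fs.begin(), fs.end(), f2f(), s->get_name().str());
 }
 }
-return format_ns::mk_string(get_manager(), s->get_name().str().c_str());
+return format_ns::mk_string(get_manager(), s->get_name().str());
 }
 
 typedef app_ref_vector format_ref_vector;
@@ -557,9 +554,7 @@ class smt2_printer {
 
 symbol ensure_quote_sym(symbol const& s) {
 if (is_smt2_quoted_symbol(s)) {
-std::string str;
-str = mk_smt2_quoted_symbol(s);
-return symbol(str.c_str());
+return symbol(mk_smt2_quoted_symbol(s));
 }
 else
 return s;
@@ -576,15 +571,15 @@ class smt2_printer {
 else {
 vname = s.str();
 }
-f = mk_string(m(), vname.c_str ());
+f = mk_string(m(), vname);
 }
 else {
 // fallback... it is not supposed to happen when the printer is correctly used.
 string_buffer<> buf;
 buf.append("(:var ");
 buf.append(v->get_idx());
 //buf.append(" ");
-//buf.append(v->get_sort()->get_name().str().c_str());
+//buf.append(v->get_sort()->get_name().str());
 buf.append(")");
 f = mk_string(m(), buf.c_str());
 }
@@ -604,7 +599,7 @@ class smt2_printer {
 
 format * pp_simple_attribute(char const * attr, symbol const & s) {
 std::string str = ensure_quote(s);
-return mk_compose(m(), mk_string(m(), attr), mk_string(m(), str.c_str()));
+return mk_compose(m(), mk_string(m(), attr), mk_string(m(), str));
 }
 
 format * pp_labels(bool is_pos, buffer<symbol> const & names, format * f) {
@@ -654,7 +649,7 @@ class smt2_printer {
 if (m_expr2alias->find(t, idx)) {
 unsigned lvl = m_aliased_lvls_names[idx].first;
 symbol const & s = m_aliased_lvls_names[idx].second;
-m_format_stack.push_back(mk_string(m(), s.str().c_str()));
+m_format_stack.push_back(mk_string(m(), s.str()));
 m_info_stack.push_back(info(lvl+1, 1, 1));
 return true;
 }
@@ -707,7 +702,7 @@ class smt2_printer {
 << ", lvl: " << f_info.m_lvl << " t: #" << t->get_id() << "\n" << mk_ll_pp(t, m())
 << ", is-shared: " << m_soccs.is_shared(t) << "\n";);
 register_alias(t, f, f_info.m_lvl, a);
-m_format_stack.push_back(mk_string(m(), a.str().c_str()));
+m_format_stack.push_back(mk_string(m(), a.str()));
 m_info_stack.push_back(info(f_info.m_lvl + 1, 1, 1));
 }
 else {
@@ -811,7 +806,7 @@ class smt2_printer {
 format * f_def[1] = { m_aliased_pps.get(i) };
 decls.reserve(lvl+1);
 ptr_vector<format> & lvl_decls = decls[lvl];
-lvl_decls.push_back(mk_seq1<format**, f2f>(m(), f_def, f_def+1, f2f(), f_name.str().c_str()));
+lvl_decls.push_back(mk_seq1<format**, f2f>(m(), f_def, f_def+1, f2f(), f_name.str()));
 }
 TRACE("pp_let", tout << "decls.size(): " << decls.size() << "\n";);
 ptr_buffer<format> buf;
@@ -919,9 +914,9 @@ class smt2_printer {
 var_name = mk_smt2_quoted_symbol (*it);
 }
 else {
-var_name = it->str ();
+var_name = it->str();
 }
-buf.push_back(mk_seq1<format**,f2f>(m(), fs, fs+1, f2f(), var_name.c_str ()));
+buf.push_back(mk_seq1<format**,f2f>(m(), fs, fs+1, f2f(), var_name));
 }
 return mk_seq5(m(), buf.begin(), buf.end(), f2f());
 }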
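Review bot: In `pp_float_literal` the five special-value branches (`NaN`, `+oo`, `-oo`, `+zero`, `-zero`) are rewritten as five near-identical lines that differ only in the tag, which is the moment to fold them into one local lambda; the hunk already uses `auto`, so a lambda is within the dialect the file compiles as, and `m`, `buf`, `v` are all in scope at that point. The same hunk also turns `" "` and `")"` into `' '` and `')'`, which is cosmetic and unrelated to the `c_str()` lifetime change, so such edits are better kept in a separate commit to keep the review focused. `pp_float_literal` starts before and ends after the hunk; the rewrite below covers only the special-value prefix and keeps the emitted text byte-identical.
```cpp
    string_buffer<> buf;
    VERIFY(get_futil().is_numeral(t, v));
    // Emit "(_ <tag> <ebits> <sbits>)" for the special float values.
    auto special = [&](char const * tag) {
        buf << "(_ " << tag << ' ' << v.get().get_ebits() << ' ' << v.get().get_sbits() << ')';
        return mk_string(m, buf.c_str());
    };
    if (fm.is_nan(v))
        return special("NaN");
    else if (fm.is_pinf(v))
        return special("+oo");
    else if (fm.is_ninf(v))
        return special("-oo");
    else if (fm.is_pzero(v))
        return special("+zero");
    else if (fm.is_nzero(v))
        return special("-zero");
    // … unchanged: use_float_real_lits branch and the remaining else …
```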

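--- a/src/ast/ast_smt_pp.cpp
+++ b/src/ast/ast_smt_pp.cpp
@@ -62,7 +62,7 @@ symbol smt_renaming::fix_symbol(symbol s, int k) {
 
 if (s.is_numerical()) {
 buffer << s << k;
-return symbol(buffer.str().c_str());
+return symbol(buffer.str());
 }
 
 if (!s.bare_str()) {
@@ -78,7 +78,7 @@ symbol smt_renaming::fix_symbol(symbol s, int k) {
 buffer << "!" << k;
 }
 
-return symbol(buffer.str().c_str());
+return symbol(buffer.str());
 }
 
 bool smt_renaming::is_legal(char c) {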
